can i allow to edit records in tables only for record owners?

[vetsinen]

can i allow to edit records in tables only for record owners, if owners id is saved as foreign key?

[sinisaos]

@vetsinen You can try using the new Piccolo Admin feature and write custom validators for this purpose and pass them to TableConfig. Of course, the superuser can still do anything on the tables. Hope that helps.

[dantownsend]

Yeah, as @sinisaos said - validators are probably the best approach.

We just added support for async validators in Piccolo API - so make sure you upgrade to the latest version.

You can then do something like this:

from piccolo_api.crud.endpoints import PiccoloCRUD
from piccolo_api.session_auth.tables import SessionsBase as _SessionsBase
from piccolo.columns.column_types import Varchar, ForeignKey
from piccolo.apps.user.tables import BaseUser as _BaseUser
from piccolo.table import Table, create_db_tables_sync
from piccolo_admin.endpoints import create_admin, TableConfig
from piccolo_api.crud.validators import Validators
from piccolo.engine.sqlite import SQLiteEngine
from starlette.exceptions import HTTPException
from starlette.requests import Request


DB = SQLiteEngine()


class BaseUser(_BaseUser, db=DB):
    pass


class SessionsBase(_SessionsBase, db=DB):
    pass


class MyTable(Table, db=DB):
    data = Varchar()
    user = ForeignKey(BaseUser, null=False)


###############################
# The important bit

async def owner_only(piccolo_crud: PiccoloCRUD, request: Request):
    row_id = request.path_params["row_id"]

    if not await MyTable.exists().where(
        MyTable.id == int(row_id),
        MyTable.user == request.user.user
    ):
        raise HTTPException('Only the owner can edit this row.')


app = create_admin(
    tables=[
        BaseUser,
        TableConfig(MyTable, validators=Validators(patch_single=[owner_only])),
    ],
    auth_table=BaseUser,
    session_table=SessionsBase,
)

###############################

if __name__ == '__main__':
    create_db_tables_sync(MyTable, BaseUser, SessionsBase, if_not_exists=True)

    if not BaseUser.exists().where(BaseUser.username == 'piccolo').run_sync():
        BaseUser.create_user_sync(
            username='piccolo',
            password='piccolo123',
            email="[email protected]",
            admin=True,
            active=True,
            superuser=True
        )

    if not BaseUser.exists().where(BaseUser.username == 'other_user').run_sync():
        BaseUser.create_user_sync(
            username='other_user',
            password='other_user123',
            email="[email protected]",
            admin=True,
            active=True,
            superuser=True
        )

    import uvicorn
    uvicorn.run(app)

[dantownsend]

Yes, you're right - it should be a list. I'll change it to validators=Validators(post_single=[manager_only]).

I think this should work manager = await Manager.exists().where(manager.user == user) - Piccolo should automatically convert a table instance into the id.

[sinisaos]

I think this should work manager = await Manager.exists().where(manager.user == user) - Piccolo should automatically convert a table instance into the id.

Yes. You're right. Sorry about that.

[dantownsend]

No worries. I've created a PR to fix it: #253

Unfortunately a bunch of the tests are failing, so will have to fix them first. Starlette's test client now uses httpx instead of requests under the hood, which is making a lot of the tests fail in subtle ways.

[sinisaos]

Great. Thanks. I see you are having the same problems in the Piccolo API with this braking backwards compatibility with the new Starlette Testclient. I hope it's not too much work.

[dantownsend]

I'll try and fix the tests this evening. Starlette 0.21.0 has been such a huge pain in the ass! It broke the Piccolo integration tests multiple times too. But now all of the ASGI libraries support this new version, life will be much easier. And httpx is superior to requests so I can see why they did it.